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1 Introduction and objectives 


The universal use of electronic communications services and networks is changing 
social and commercial relationships, and the way in which societies communicate 
and express themselves, as well as the amount and nature of information to which 
both citizens and companies have easy access. As a result of this, personal 
information is increasingly being processed, both in the context of personal or 
professional activities, and within the scope of the provision of digital services to 
clients and/or users. 


As provider of these types of services, Telefonica firmly believes that the adequate 
access and processing of this information offers great opportunities for enriching the 
lives of citizens and contributing to the development of societies. 


Telefonica respects the rights and freedoms of individuals, among which is the 
fundamental right to the protection of personal data. The Responsible Business 
Principles, the Group’s code of ethics, refers to the need to protect this fundamental 
right and establishes guidelines to this end. 


Telefonica is very much aware of the fact that the trust the customers and other 
stakeholders place in the company is critical and must give them control over their 
personal information (as “Data Subjects” in the sense defined in the present Policy), 
which is why the present Telefonica Corporate Privacy Policy is issued with the goal 
of strengthening the Group's commitment to the right to privacy of all the people 
whose information Telefonica has access to. 


Thus, the present Policy establishes the general guidelines that Telefonica, as 
leading company in the industry, and in the development of standards of trust in its 
commercial relations, must progressively implement not only with a view to 
compliance of the legal provisions in force in each jurisdiction, but also to set a 
common general approach for the entire Group in terms of privacy. 


For purposes of clarification, said general guidelines are subject to further and later 
development in more specific commitments, either general, or within any of the 
companies or groups of companies that are part of the Telefonica Group, taking into 
account the different starting points and the level or difficulty of implementation and 
specific actions required to promote the adequate observance of the aforementioned 
guidelines. 


To this effect, the model of privacy governance established in section 9 of the present 
Policy is essential, as it will ensure a swift and efficient deployment of the actions 
required to comply with the guidelines. 


For purposes of clarification, the present Policy refers to the privacy of the information 
of physical persons. Telefonica also ensures the protection of information and data 
of legal entities and will comply with what is established in applicable national law. 
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2 Scope of application 


This Policy constitutes a Corporate Policy, and, as such, is to be applied in all 
Telefonica Group companies. 


In its condition as parent company of the Group, Telefonica, S.A. is responsible for 
establishing the bases and mechanisms required for an adequate and efficient 
coordination between this Company and the other companies that are part of its 
Group, which, as indicated in the previous section 1, will be subject to further and 
later development through instruments that govern the progressive compliance with 
more specific commitments. 


The above applies without prejudice to and without impairing the autonomous 
decision-making capacity corresponding to each of the companies involved, in 
accordance with their corporate purpose and with the fiduciary duties that the 
members of their management bodies have towards their shareholders. 


3 Principles 


In the processing of personal information, the Telefonica Group will adopt actions aimed 
at protecting the following basic principles: 


Principle of legality 

Principle of transparency 

Principle of commitment to the rights of the stakeholders 
Principle of limitation of the conservation period 
Principle of security 


3.1. Principle of legality 


The Telefónica Group will adopt the actions necessary to ensure that the personal 
information of the Data Subjects Parties that it collects, stores, and processes are 
lawfully and fairly processed. 


The processing should comply with the obligations that result from the applicable legal 
framework, taking into account its characteristics and geographical scope and the rest 
of the provisions included in this Corporate Policy. In any case, the Telefónica Group will 
adhere to, with particular attention: 


e the securing of the consent of the Data Subject or, as the case may be, the 
existence of any other lawfulness condition in the applicable legislation. 


e the need for processing and the legitimate purpose of said processing. The 
personal information will be collected for legitimate purposes, and will not be 
subsequently processed in a manner incompatible with said purposes. 
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3.2. Principle of transparency 


The Telefonica Group will adopt the measures necessary to guarantee that the Data 
Subjects be provided with information that is easily accessible and understandable about 
the personal information that it collects, stores, and processes. 


Among other measures, the Data Subjects will be provided with the following information: 
a) Type of information collected 


At Telefonica, different types of personal information are collected from our users, 
either directly because the information is provided (Such as name, surnames, 
address, bank account, personal preferences, etc.), or indirectly through the use of 
our services (locational data, calling data, content viewing data, etc.) or from 
legitimate third party sources. 


b) How information is collected 
This information is collected in different ways and through different channels. 


All Data Subjects will be informed about how their information is collected when they 
access the products and/or services and/or channels of communication. 


c) Purpose of the collected information 


The information of the Data Subject may be used for different purposes depending 
on the type of information collected. 


The Data Subject must be informed about the purpose for which its information will 
be used. 


d) Personal Data retention 


The Data Subject will be informed of the period for which the personal data will be 
stored, or the criteria used to determine that period the way to erasure it, when 
applicable, and what happens when a user deletes his/her account. 


In every case, Telefónica reserves the right to use information collected from the 
Data Subjects in anonymous format. 


e) Transfer of the information 


The Data Subject will be informed about what category of information is going to be 
transferred, the recipients or categories of recipients and for what purpose. 
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3.3. Principle of respect for the rights of the Data 
Subject 


Telefonica must offer Data Subjects clear and simple mechanisms to guarantee and 
ensure the correct exercise of the rights of the Data Subject, in accordance with the 
applicable legal framework, such as the right of access, rectification, deletion, opposition, 
, the right to withdraw consent at any time, and the right to present complaints. 


The Telefónica Group must facilitate the exercise of these rights in the deadlines and 
terms established in the corresponding legal system of the country and/or region. 


The Telefonica Group provides its employees, customers, contractors, or any other 
Interested titleholder to personal information included in the databases and/or 
information systems owned by Telefonica Group entities, communication channels to file 
requests, queries, and complaints so that they may exercise applicable rights that 
correspond to them. 


The Telefónica Group agrees to respond to these requests, queries, and complaints 
quickly and within the periods determined by the applicable regulations. 


3.4. Principle of limitation of the conservation period 


The Telefónica Group will not retain the personal information of the Stakeholder for 
longer than the periods of time permitted in each jurisdiction’s legislation. 


3.5. Principle of security of processing 


The Telefonica Group will apply, in all of the processing cycle phases, the technical and 
organizational measures required to ensure a level of security adequate to the risk to 
which the personal information may be exposed and, in any case, in accordance with 
the security measures established in the law in force in each of the countries and/or 
regions in which it operates and Telefonica’s internal regulations for Security. If at any 
moment this security is compromised, Telefonica will act swiftly and responsibly. 


The Telefonica Group will be particularly diligent in the analysis of those data processing 
situations that potentially place the rights and freedoms of the Data Subjects at high risk. 


Likewise, Telefonica will at all times protect the confidential nature of the information of 
the Data Subjects, in accordance with Telefonica’s internal regulations for the 
classification and processing of Information. 
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4 Conditions for consent 


Telefónica will facilitate to Data Subjects clear and transparent information regarding the 
use and storage of their personal information so that they may consent in a freely given, 
specific, informed and unambiguous manner with respect to the proposed processing of 
said information. 


5 International transfer of information 


The information provided by Data Subjects may be transferred internationally to Group 
companies and third parties for its processing subject to the requirements established 
by the legislation applicable in each country or region, and to the international 
agreements, where the different Telefonica Group entities operate. 


In this regard, the Telefónica Group, either as Data Processor and/or Data Controller, 
will protect the rights of Data Subjects in the international transfer of personal information 
to third countries, and will, in observance, at all times, of the Group’s security standards 
and the applicable legislation in this matter. 


Likewise, Telefonica also considers the application of the Binding Corporate Rules (BCR) 
that offer adequate guarantees in case of transfers between Group companies, which 
would be applicable in the countries where BCRs is an adequate instrument for 
international transfers according to the applicable legislation. 


6 Privacy of minors 


The Telefónica Group is committed to the privacy rights of minors, the protection of their 
personal information, and the promotion of the responsible use of technology. 


7 Privacy in the supply chain 


The Telefonica Group, as Data Controller, will provide contractually that any supplier that 
acts under its authority and which has access to the personal information of the Data 
Subjects for which it is responsible, will only be able to process said information by 
following its instructions and, in every case, in a secure manner through the adoption of 
the necessary technical and organizational security measures, and full compliance with 
the applicable law and internal regulations. 


Thus, each Data Controller will prioritize the choice of suppliers that act as Data 
Processor so as to ensure compliance with the data protection legislation applicable to 
the processing in question, as well as with this Corporate Policy. 
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8 Privacy by design 


Telefonica embraces the principles of privacy by design and accountability in the 
development of its products and services in order that, from its initial conception, they 
incorporate the applicable data protection requirements. 


9 Requests by competent authorities 


Telefonica is subject to the legal environments in which it operates, meaning that, in 
exceptional circumstances and always within the express provisions of national laws, it 
must respond to the requirements of the competent authorities related to certain 
information about the communications of its customers and/or users. 


Telefonica, in all of these cases, implements a strict global procedure that guarantees 
both compliance with our obligations regarding collaboration with judicial authorities and 
competent authorities, and the protection of the rights to privacy and freedom of 
expression of the affected parties. 


Telefonica will periodically publish information about the numbers and types of requests 
it receives from competent authorities in the countries in which it operates. 


10 Organization and Responsibilities 


In order to guarantee the rights, in terms of data protection of Data Subjects and 
companies, with which the Telefonica Group relates, as well as the compliance with the 
applicable laws and this Corporate Privacy Policy, it is important each operating business 
dedicates the appropriate resources to the implementation of this policy. The Telefonica 
Group has set up the corresponding organization, the basic structure of which is as 
follows: 


10.1 Data Protection Officers 


The different Telefonica Group entities and companies must appoint a Data Protection 
Officer (hereinafter, "DPO"). 


Each DPO will be appointed according to his/her professional skills, knowledge and 
experience with respect to data protection, as well as knowledge regarding the 
corresponding business and of the Group as a whole. 


The Telefónica Group considers it appropriate to establish two levels of DPO, global and 
local, in order to better coordinate and observe the compliance of this Corporate Policy 
and other applicable legal and internal regulations. 


-10- 
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10.1.1 Telefonica Group DPO 


The Telefónica Group DPO is the Telefonica Group’s person in charge at corporate level 
of data Protection. The Telefónica Group DPO reports directly to the Telefónica, S.A. 
Board of Directors. 


The main duties and functions of the Telefonica Group DPO are: 


e The global data protection coordination in the Telefonica Group, and the definition 
of the global compliance program in terms of privacy. 


e The supervision of compliance with the current data protection legislation in force. 


e Exchange and advice in terms of the processing of personal data, to the 
Telefonica, S.A. Organization, and to the Group’s local DPOs, as the case may 
be. 


e The implementation and application of the privacy and data protection policies, 
and the assessment of new related projects. 


e The performance of the duties which, in general, may be attributed to him/her by 
the applicable legislation (i.e., those established in the European General Data 
Protection Regulation). 


The Telefonica Group DPO leads and coordinates the Global DPO Office which plays a 
double role: on the one hand, it takes on direct responsibility over the compliance 
program in matters of privacy in the global and corporate scope, and, on the other, the 
guarantee of the implementation of the program within the Telefonica Group. 


10.1.2 Local DPO 


The Local DPO (or person in charge of privacy at local level, regardless of the 
terminology adopted in applicable legislation), is the person responsible for the protection 
of personal data in one or several Telefonica Group companies located in a specific 
country/region, or within a specific area of activity 


The main functions of the Local DPO are: 


e Advisory with respect to data protection, for the business units within his/her 
scope of responsibility. 


e Supervision of compliance with the applicable law and this Privacy Policy within 
his/her scope of responsibility. 


e Exchange and coordination with the Telefonica Group DPO for the purpose of 
implementing the global compliance program in terms of privacy. 


e Dialogue with Data Subjects and authorities within his/her scope of responsibility. 
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e The performance of the duties which, in general, may be attributed to him/her by 
the applicable legislation (i.e. those established in the European General Data 
Protection Regulation). 


10.2. Relationship structure 


Without prejudice of the duties and responsibilities of the Telefonica Group DPO and that 
of the local DPOs, the Telefonica Group, in order to better implement the privacy 
compliance program, deems it necessary to create a relationship structure for the 
purposes of supporting, coordinating, assessing, and proposing lines of action in relation 
to said program. and, in general, with respect to compliance with Data Protection 
legislation. 


In particular, the Telefonica Group considers appropriate to establish the following formal 
relationship channels (through regular interactions and, in particular, the convening of 
the Committees that will be set up for this purpose): 


i. Transversal relationships: based on the premise of the importance of the 
Telefonica Group global units, in contributing to the successful 
implementation of the privacy compliance program, each within their scope 
of responsibility; for this reason, a continuous relationship with the DPO 
Global Office musty be maintained. The following units, amongst others, are 
included in this group: Security, General Secretariat/Legal Services, 
Regulation and Institutional Affairs, Technology, Chief Data Officer, 
Compliance, Corporate Ethics and Sustainability, and Internal Audit. 


ii. Business relationships: ultimately, the business units are responsible for the 
implementation of the privacy compliance program, meaning that their own 
internal regulations and business processes must at all times take into 
consideration said program; with this goal, interfaces that guarantee the 
interaction with the DPO Global Office, or the Local DPO, respectively, will 
be appointed both in Telefónica, S.A. and in those business units in which 
this is been deemed appropriate. 


jii. Relationship between business units: under the coordination of the DPO 
Global Office, the coordinated with the local DPOs will be ensured for the 
purposes of monitoring the compliance program in terms of privacy, and for 
the review of problems that affect the set of organizations. 


11 Training and awareness 


The Telefónica Group is aware that the gradual elevation of standards of compliance 
with the applicable legislation as well as the Telefónica Group’s internal regulation in 
terms of privacy and data protection, is conditional upon the generation of a company 
culture based on understanding and knowledge on the part of its employees and the 
parties that are part of its supply chain. 
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The generation of such culture in turn requires training and awareness initiatives to be 
developed within the framework of Telefonica’s comprehensive training and 
communication plans, in first instance for employees, and to the extent possible, for the 
third parties that interact with Telefonica. 


12 Monitoring and control 


In its commitment to continuous supervision and improvement, the Telefónica Group, 
and each company that belongs to it, periodically submits its processing of personal data 
to internal or external controls and/or audits in order to verify the correct compliance with 
the legal regulations applicable to each entity, as well as with this Corporate Policy, and 
the regulations and procedures that develop it, determining degrees of compliance, and 
recommending corrective measures. 


In particular, the present Policy may be the subject of development of regulation that 
establishes the mechanisms necessary for the supervision and control of its compliance 
and control. 


In those data processing activities in which the Telefónica Group is Data Controller, it 
may require, by contract, from those Data Processors with which it works, audit or 
certification mechanisms in order to ensure that these entities offer sufficient guarantees 
to carry out their processing operations. 


13 Internal Audit 


The observance and compliance with this rule by the different areas of the Company will 
be subject to review and supervision by the Internal Audit area, who will be authorized 
to carry out the sampling supervisions of the controls established herein whenever it 
deems convenient. 


14 Review and modifications 


This document must be revised to adapt to Organisational, legal or business changes 
that take place, in order to maintain its applicability, sufficiency and effectiveness. 
Otherwise, it must be revised according to the periodicity put forth in the “Corporate 
Regulations for the Elaboration and Organisation of the Telefónica Group’s Regulatory 
Framework.” 


This Corporate Policy will be periodically reviewed, taking into consideration any 
organizational, legal, or business changes that may take place. 


The reviews of the Policy, insofar as they affect the conditions of privacy with 
stakeholders agreed upon by the Telefónica Group, will be subject to timely publication 
and communication. 


Pale 
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15 Implementation and application 


This Corporate Policy will enter into effect on the day of its approval by the Board of 


Directors. 


16 Glossary of terms 


The following is a list, in order of appearance in the present document, of the main terms 
defined used throughout said present document. 


“Corporate Policy” 


"Telefónica 
Telefónica" 


Group 


“Personal data or 
information” 


personal 


“Processing” 


LLI D]210 ha 


"Data Controller " 


"Data Processor " 


Refers to this Telefónica Group Corporate Privacy 
Policy. 





Refers to Telefónica, S.A. and all the entities 
belonging to its business group regardless of their 
residence (inside or outside the EU), and their legal 
form. 





Refers to any information about an identified or 
identifiable natural person (in this document 
referred to as the "Data Subject"). 





Refers to any operation or set of operations carried 
out on personal information or sets of personal 
information, either by automated procedures or not. 





Refers to the figure of the Data Protection Officer as 
defined in section 9 of this Corporate Policy. 





Refers to the entity that, alone or together with 
others, determines the purposes and means of the 
processing. 








Refers to the natural or legal person, public 
authority, agency or other body which processes 
personal information on behalf of the Data 
Controller. 





Any other term not defined in the present shall have the meaning that, as the case may 
be, is determined by the Corporate/local regulation applicable to each Telefónica Group 


entity. 
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